SolarWinds has released an emergency patch for CVE-2021-35211, a RCE vulnerability affecting its Serv-U Managed File Transfer and Serv-U Secure FTP that is currently being exploited in the wild.
“Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability. SolarWinds is unaware of the identity of the potentially affected customers,” the company shared.
Microsoft has also shared a proof-of-concept exploit with SolarWinds, but no PoCs are publicly available at this time.
CVE-2021-35211 was unearthed in the SolarWinds Serv-U product by Microsoft’s Threat Intelligence Center (MSTIC) and Microsoft Offensive Security Research teams.
SolarWinds said they will be publishing additional details about the vulnerability once its customers have had enough time to implement the fix. In the meantime, we know that:
- It affects Serv-U 15.2.3 HF1 and all prior Serv-U versions – but does not exist if SSH is enabled for a Serv-U installation
- Allows attackers to perform remote code execution and to then install programs; view, change, or delete data; or run programs on the affected system
- Is not related to the SUNBURST supply chain attack
The company has shared some indicators of attack and other helpful information enterprise security teams can use to check whether their installations have been targeted.
Censys CTO Derek Abdine said they discovered over 8,000 Serv-U hosts on the internet, and also that a lot of those “present the same SSH host key fingerprint (which Serv-U exposes for SCP)”.
This thread has already become a monster, so I'm going to stop here and pull my thoughts into a blog post. But, we learned that there are a ton of Serv-U hosts sharing the same SSH private/public keys, rendering encrypted key exchange over SCP useless for these hosts (think mitm)
— Derek Abdine (@dabdine) July 13, 2021
UPDATE (July 14, 2021, 01:10 a.m. PT):
Microsoft has attributed these “limited and targeted attacks” to DEV-0322, which is targeting entities in the U.S. Defense Industrial Base Sector and software companies.
“This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,” they shared. The company has provided advice for organizations on how to check whether they have been targeted / their Serv-U installations have been compromised.